A look at some of the top stories I reported on in 2020.
Welcome to Cyber Security Today. It’s Monday December 28th. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
It’s the last week of the year, a time when reporters often look back on the stories they’ve done and highlight ones that are significant or memorable in some way. I found four I’ve done on this podcast. I’ll talk about three of them today, all of which deal with ransomware. The fourth, a very sophisticated bank scam against an individual, I’ll talk about on Wednesday.
At October’s SecTor virtual conference Julian Pileggi of the security firm Mandiant gave advice to organizations on how to initially deal with a ransomware attack: First, disconnect the IT network from the Internet so the attackers can’t use it for communications. However, don’t disable the internal network. Do that and IT staff can’t investigate. Instead, block IT system-to-system communications at the network level. This stops the spread of the ransomware from computer to computer. If you’re sure it’s safe, a couple of IT staff might be allowed remote access to your IT systems with their computers to help repair or restore the system — if those PCs have multifactor authentication for safe login, and if you’re sure they aren’t infected. Don’t shut down computers or servers. That could make things worse.
IT staff should collect information on the ransom note and the encrypted file extensions. That can be used to search through the Internet with a safe computer to learn what type of ransomware you’ve been hit with. That may help with remediation. Some strains of ransomware have been cracked by security companies who offer free decryption keys that can be used by skilled IT staff or consultants.
Don’t contact the hackers until getting advice from your company’s lawyer.
Preserve and protect your backups, if they’re available and unencrypted.
Don’t destroy evidence or wipe compromised systems. Make a copy if necessary — and if you’re sure it isn’t infected. Remember your forensics team, insurers and the police want to see systems in their original state.
The best way to prepare for ransomware — or any cyber attack — is have and practice an incident response plan.
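The advice above says to collect the ransom note and the extension the ransomware appended to files so the strain can be identified from a clean machine. The script below is an added example, not code from the podcast or from Mandiant: it walks a file share read-only, counts which unfamiliar extension is stacked on top of ordinary document extensions, finds files whose names look like dropped notes, and hashes each note so it can be searched for without opening it on the affected network. The extension allow-list, the note-name hints and the sample share it builds in a temporary directory are all constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from collections import Counter

# Extensions an ordinary office share contains; constructed allow-list for the demo.
COMMON_EXTENSIONS = {".docx", ".xlsx", ".pptx", ".pdf", ".txt", ".csv", ".jpg", ".png", ".log"}
# Words that often appear in the names of dropped ransom notes (assumption, not a complete list).
NOTE_NAME_HINTS = ("readme", "decrypt", "restore", "recover", "how_to", "help")
NOTE_EXTENSIONS = {".txt", ".html", ".hta", ""}


def split_extensions(filename):
    """Return (inner_ext, outer_ext) so 'q1.docx.locked' -> ('.docx', '.locked')."""
    stem, outer = os.path.splitext(filename)
    _, inner = os.path.splitext(stem)
    return inner.lower(), outer.lower()


def looks_like_note(filename):
    """A plain-text file whose name carries one of the usual note hints."""
    lower = filename.lower()
    _, ext = os.path.splitext(lower)
    return ext in NOTE_EXTENSIONS and any(hint in lower for hint in NOTE_NAME_HINTS)


def fingerprint_note(path, head_chars=200):
    """Read-only: hash the note and keep its opening text for lookup on a clean machine."""
    with open(path, "rb") as fh:
        data = fh.read()
    return {
        "path": path,
        "sha256": hashlib.sha256(data).hexdigest(),
        "head": data[:head_chars].decode("utf-8", errors="replace"),
    }


def triage(root, min_count=3):
    """Walk the share without modifying anything and summarise what was found."""
    appended = Counter()   # unfamiliar extension seen stacked on a common one
    all_exts = Counter()
    notes = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            inner, outer = split_extensions(name)
            all_exts[outer] += 1
            if inner in COMMON_EXTENSIONS and outer not in COMMON_EXTENSIONS:
                appended[outer] += 1
            if looks_like_note(name):
                notes.append(fingerprint_note(os.path.join(dirpath, name)))
    likely = [(ext, n) for ext, n in appended.most_common() if n >= min_count]
    return {"appended_extensions": likely, "all_extensions": all_exts, "notes": notes}


def build_sample_share():
    """Constructed sample data: a tiny share with three encrypted-looking files and one note."""
    root = tempfile.mkdtemp(prefix="triage-demo-")
    os.makedirs(os.path.join(root, "finance"))
    for name in ("finance/q1.docx.locked", "finance/budget.xlsx.locked",
                 "photo.jpg.locked", "notes.txt"):
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(b"\x00placeholder bytes\x00")
    with open(os.path.join(root, "README_TO_RESTORE.txt"), "w", encoding="utf-8") as fh:
        fh.write("Your files have been encrypted. (constructed sample note)\n")
    return root


if __name__ == "__main__":
    share = build_sample_share()
    result = triage(share)
    print("extension appended by the ransomware:", result["appended_extensions"])
    for note in result["notes"]:
        print("ransom note:", note["path"], "sha256:", note["sha256"])
        print("   starts with:", note["head"].splitlines()[0])
```

Run it against a mounted copy of the share rather than the live systems, and keep the output (extension, note hash, opening lines) with the incident record: those are the values a decryption-tool search or an outside responder will ask for, and nothing on the affected machines has been changed in producing them.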
At the MapleSec conference IT World Canada organized in October my podcast co-host Terry Cutler told some chilling stories of the many data breach investigations he’s worked on. One company was in such bad shape after a ransomware attack its systems kept getting re-infected after software was re-installed on all of its computer systems. It turned out the laptop being used by a technician to help restore service hadn’t been thoroughly scrubbed. It was spreading malware. The lesson: After a cyber attack every computer used for recovery has to be pristine. The same organization had a heck of a time restoring data from ancient backup tapes. The lesson: Practice data recovery before a security incident so problems are revealed.
In November I came across a report about a ransomware attack that from start to finish took only eight hours. Usually IT and security teams have days or weeks to detect a successful cyber attack before malware is launched. You can’t count on that anymore. According to a service called The DFIR Report, a threat group launched its ransomware package eight hours after first compromising an organization. The attackers got into the firm’s Windows domain controller by somehow knowing the username and password of the administrator. The report doesn’t say if the credentials were stolen or the administrator was tricked into giving them away. Regardless, the account wasn’t secured with multifactor authentication. And the account was senior enough that the attacker could move to other internal systems, which yielded their passwords. It seems like the security of this organization wasn’t very good, because the attacker could disable security tools on systems. After only seven hours of looking around, the ransomware was spread. The ransom note demanded about $88,000 in bitcoin.
There are a couple of lessons from this attack: Forcing two-factor authentication for all users is vital. IT administrators should have to use stronger multifactor authentication. Things have to be set up to prevent an attacker doing what this one did — move across systems. Automated computer network monitoring has to be installed to watch for suspicious activity.
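The two behaviours described in that attack, one account moving across many internal systems in a short time and security tools being switched off, are both visible in authentication and service logs if something is watching them. The script below is an added example, not code from the podcast or from The DFIR Report, of the kind of automated monitoring the lesson calls for: it reads a small set of constructed log lines in a simplified key=value format (not real Windows event-log output), raises an alert when one account authenticates to three or more distinct hosts inside a 15-minute window, and raises a second alert when a service from a constructed list of security products is stopped. Host names, account names and the service names are all made up for the demonstration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in a simplified key=value format (not real event-log output).
SAMPLE_LOG = """\
2020-11-03T01:00:10Z event=logon user=backup-admin host=DC01 src=10.0.0.5
2020-11-03T01:04:42Z event=logon user=backup-admin host=FS01 src=10.0.0.5
2020-11-03T01:06:03Z event=logon user=backup-admin host=FS02 src=10.0.0.5
2020-11-03T01:07:55Z event=logon user=backup-admin host=APP01 src=10.0.0.5
2020-11-03T01:09:20Z event=service_stop user=backup-admin host=FS01 service=EndpointProtectionSvc
2020-11-03T02:30:00Z event=logon user=jsmith host=WS17 src=10.0.1.40
2020-11-03T09:15:00Z event=logon user=jsmith host=WS17 src=10.0.1.40
"""

# Service names that belong to security tooling; constructed for the demo.
SECURITY_SERVICES = {"EndpointProtectionSvc", "EDRAgent"}


def parse_line(line):
    """'<timestamp> k=v k=v ...' -> dict with a parsed 'ts' field."""
    ts_text, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    fields["ts"] = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def detect_lateral_movement(events, window=timedelta(minutes=15), min_hosts=3):
    """Alert once per account that logs on to >= min_hosts distinct hosts inside `window`."""
    alerts = []
    recent = defaultdict(deque)   # user -> deque of (ts, host) inside the sliding window
    flagged = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event"] != "logon":
            continue
        q = recent[ev["user"]]
        q.append((ev["ts"], ev["host"]))
        while q and ev["ts"] - q[0][0] > window:   # drop entries older than the window
            q.popleft()
        hosts = {host for _, host in q}
        if len(hosts) >= min_hosts and ev["user"] not in flagged:
            flagged.add(ev["user"])
            alerts.append({"rule": "lateral_movement", "user": ev["user"],
                           "hosts": sorted(hosts), "at": ev["ts"]})
    return alerts


def detect_tool_tampering(events):
    """Alert on every stop of a service that belongs to the security stack."""
    return [{"rule": "security_tool_stopped", "user": ev["user"], "host": ev["host"],
             "service": ev["service"], "at": ev["ts"]}
            for ev in events
            if ev["event"] == "service_stop" and ev.get("service") in SECURITY_SERVICES]


def analyse(log_text):
    """Parse the log and run both rules; returns the combined alert list."""
    events = [parse_line(line) for line in log_text.splitlines() if line.strip()]
    return detect_lateral_movement(events) + detect_tool_tampering(events)


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```

The window and host threshold are the tuning knobs: an administrator who genuinely touches many servers in one maintenance pass will trip the first rule, so the fix is to require that such work go through an account with stronger multifactor authentication and a change record rather than to raise the threshold until the rule is silent. The second rule has no such trade-off; a security agent being stopped outside a planned change should always be looked at.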
Finally, once a year hire someone outside the organization to look over the entire IT system to see where the flaws are. Cybersecurity takes time and money. If you don’t spend it then in eight hours you could be out of business.
That’s it for today. Links to details about today’s stories can be found in the text version of this podcast at ITWorldCanada.com. That’s where you’ll also find my news stories aimed at cybersecurity professionals.
Subscribe to Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker. Thanks for listening. I’m Howard Solomon.